| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| 22 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" | 22 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" |
| 23 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" | 23 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" |
| 24 #include "chrome/browser/chromeos/profiles/profile_helper.h" | 24 #include "chrome/browser/chromeos/profiles/profile_helper.h" |
| 25 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" | 25 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" |
| 26 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h " | 26 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h " |
| 27 #include "chrome/browser/profiles/profile.h" | 27 #include "chrome/browser/profiles/profile.h" |
| 28 #include "chrome/common/channel_info.h" | 28 #include "chrome/common/channel_info.h" |
| 29 #include "chromeos/attestation/attestation_flow.h" | 29 #include "chromeos/attestation/attestation_flow.h" |
| 30 #include "chromeos/chromeos_switches.h" | 30 #include "chromeos/chromeos_switches.h" |
| 31 #include "chromeos/dbus/auth_policy_client.h" | 31 #include "chromeos/dbus/auth_policy_client.h" |
| 32 #include "chromeos/dbus/cryptohome/rpc.pb.h" | |
| 32 #include "chromeos/dbus/dbus_thread_manager.h" | 33 #include "chromeos/dbus/dbus_thread_manager.h" |
| 33 #include "chromeos/dbus/upstart_client.h" | 34 #include "chromeos/dbus/upstart_client.h" |
| 34 #include "components/version_info/version_info.h" | 35 #include "components/version_info/version_info.h" |
| 35 #include "google_apis/gaia/gaia_auth_util.h" | 36 #include "google_apis/gaia/gaia_auth_util.h" |
| 36 #include "google_apis/gaia/gaia_urls.h" | 37 #include "google_apis/gaia/gaia_urls.h" |
| 37 #include "net/http/http_status_code.h" | 38 #include "net/http/http_status_code.h" |
| 38 | 39 |
| 39 namespace em = enterprise_management; | 40 namespace em = enterprise_management; |
| 40 | 41 |
| 41 namespace policy { | 42 namespace policy { |
| 69 case EnrollmentConfig::MODE_ATTESTATION: | 70 case EnrollmentConfig::MODE_ATTESTATION: |
| 70 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION; | 71 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION; |
| 71 case EnrollmentConfig::MODE_ATTESTATION_FORCED: | 72 case EnrollmentConfig::MODE_ATTESTATION_FORCED: |
| 72 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED; | 73 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED; |
| 73 } | 74 } |
| 74 | 75 |
| 75 NOTREACHED() << "Bad enrollment mode: " << mode; | 76 NOTREACHED() << "Bad enrollment mode: " << mode; |
| 76 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; | 77 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; |
| 77 } | 78 } |
| 78 | 79 |
| 80 // Returns whether block_devmode is set. Must only be invoked after the policy | |
|
Thiemo Nagel
2017/03/27 17:21:47
Nit: The 2nd sentence is obsolete now.
igorcov
2017/03/28 16:39:09
Done.
| |
| 81 // has been retrieved. | |
| 82 bool GetBlockdevmodeFromPolicy( | |
| 83 enterprise_management::PolicyFetchResponse* policy) { | |
|
Thiemo Nagel
2017/03/27 17:21:47
Nit: const
igorcov
2017/03/28 16:39:09
Done.
| |
| 84 DCHECK(policy); | |
| 85 em::PolicyData policy_data; | |
| 86 if (!policy_data.ParseFromString(policy->policy_data())) { | |
| 87 LOG(ERROR) << "Failed to parse policy data"; | |
| 88 return false; | |
| 89 } | |
| 90 | |
| 91 em::ChromeDeviceSettingsProto payload; | |
| 92 if (!payload.ParseFromString(policy_data.policy_value())) { | |
| 93 LOG(ERROR) << "Failed to parse policy value"; | |
| 94 return false; | |
| 95 } | |
| 96 | |
| 97 bool block_devmode = false; | |
| 98 if (payload.has_system_settings()) { | |
| 99 const em::SystemSettingsProto& container = payload.system_settings(); | |
| 100 if (container.has_block_devmode()) { | |
| 101 block_devmode = container.block_devmode(); | |
| 102 } | |
| 103 } | |
| 104 | |
| 105 return block_devmode; | |
| 106 } | |
| 107 | |
| 79 } // namespace | 108 } // namespace |
| 80 | 109 |
| 81 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( | 110 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( |
| 82 DeviceCloudPolicyStoreChromeOS* store, | 111 DeviceCloudPolicyStoreChromeOS* store, |
| 83 chromeos::InstallAttributes* install_attributes, | 112 chromeos::InstallAttributes* install_attributes, |
| 84 ServerBackedStateKeysBroker* state_keys_broker, | 113 ServerBackedStateKeysBroker* state_keys_broker, |
| 85 chromeos::attestation::AttestationFlow* attestation_flow, | 114 chromeos::attestation::AttestationFlow* attestation_flow, |
| 86 std::unique_ptr<CloudPolicyClient> client, | 115 std::unique_ptr<CloudPolicyClient> client, |
| 87 scoped_refptr<base::SequencedTaskRunner> background_task_runner, | 116 scoped_refptr<base::SequencedTaskRunner> background_task_runner, |
| 88 chromeos::ActiveDirectoryJoinDelegate* ad_join_delegate, | 117 chromeos::ActiveDirectoryJoinDelegate* ad_join_delegate, |
| 390 const std::string& access_token, | 419 const std::string& access_token, |
| 391 int expires_in_seconds) { | 420 int expires_in_seconds) { |
| 392 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); | 421 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); |
| 393 | 422 |
| 394 robot_refresh_token_ = refresh_token; | 423 robot_refresh_token_ = refresh_token; |
| 395 | 424 |
| 396 SetStep(STEP_AD_DOMAIN_JOIN); | 425 SetStep(STEP_AD_DOMAIN_JOIN); |
| 397 StartJoinAdDomain(); | 426 StartJoinAdDomain(); |
| 398 } | 427 } |
| 399 | 428 |
| 429 void EnrollmentHandlerChromeOS::SetFirmwareManagementParametersData() { | |
| 430 DCHECK_EQ(STEP_SET_FWMP_DATA, enrollment_step_); | |
| 431 | |
| 432 install_attributes_->SetBlockDevmodeInTpm( | |
| 433 GetBlockdevmodeFromPolicy(policy_.get()), | |
| 434 base::Bind( | |
| 435 &EnrollmentHandlerChromeOS::OnFirmwareManagementParametersDataSet, | |
| 436 weak_ptr_factory_.GetWeakPtr())); | |
| 437 } | |
| 438 | |
| 439 void EnrollmentHandlerChromeOS::OnFirmwareManagementParametersDataSet( | |
| 440 chromeos::DBusMethodCallStatus call_status, | |
| 441 bool result, | |
| 442 const cryptohome::BaseReply& reply) { | |
| 443 DCHECK_EQ(STEP_SET_FWMP_DATA, enrollment_step_); | |
| 444 if (!result) { | |
| 445 LOG(ERROR) | |
| 446 << "Failed to update firmware management parameters in TPM, error: " | |
| 447 << reply.error(); | |
| 448 } | |
| 449 | |
| 450 SetStep(STEP_LOCK_DEVICE); | |
| 451 StartLockDevice(); | |
| 452 } | |
| 453 | |
| 400 // GaiaOAuthClient::Delegate | 454 // GaiaOAuthClient::Delegate |
| 401 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse( | 455 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse( |
| 402 const std::string& access_token, | 456 const std::string& access_token, |
| 403 int expires_in_seconds) { | 457 int expires_in_seconds) { |
| 404 // We never use the code that should trigger this callback. | 458 // We never use the code that should trigger this callback. |
| 405 LOG(FATAL) << "Unexpected callback invoked."; | 459 LOG(FATAL) << "Unexpected callback invoked."; |
| 406 } | 460 } |
| 407 | 461 |
| 408 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request. | 462 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request. |
| 409 void EnrollmentHandlerChromeOS::OnOAuthError() { | 463 void EnrollmentHandlerChromeOS::OnOAuthError() { |
| 420 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); | 474 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); |
| 421 LOG(ERROR) << "Network error while fetching API refresh token: " | 475 LOG(ERROR) << "Network error while fetching API refresh token: " |
| 422 << response_code; | 476 << response_code; |
| 423 ReportResult( | 477 ReportResult( |
| 424 EnrollmentStatus::ForRobotRefreshFetchError(response_code)); | 478 EnrollmentStatus::ForRobotRefreshFetchError(response_code)); |
| 425 } | 479 } |
| 426 | 480 |
| 427 void EnrollmentHandlerChromeOS::StartJoinAdDomain() { | 481 void EnrollmentHandlerChromeOS::StartJoinAdDomain() { |
| 428 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); | 482 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); |
| 429 if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) { | 483 if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) { |
| 430 SetStep(STEP_LOCK_DEVICE); | 484 SetStep(STEP_SET_FWMP_DATA); |
| 431 StartLockDevice(); | 485 SetFirmwareManagementParametersData(); |
| 432 return; | 486 return; |
| 433 } | 487 } |
| 434 DCHECK(ad_join_delegate_); | 488 DCHECK(ad_join_delegate_); |
| 435 ad_join_delegate_->JoinDomain( | 489 ad_join_delegate_->JoinDomain( |
| 436 base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined, | 490 base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined, |
| 437 weak_ptr_factory_.GetWeakPtr())); | 491 weak_ptr_factory_.GetWeakPtr())); |
| 438 } | 492 } |
| 439 | 493 |
| 440 void EnrollmentHandlerChromeOS::OnAdDomainJoined(const std::string& realm) { | 494 void EnrollmentHandlerChromeOS::OnAdDomainJoined(const std::string& realm) { |
| 441 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); | 495 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); |
| 442 CHECK(!realm.empty()); | 496 CHECK(!realm.empty()); |
| 443 realm_ = realm; | 497 realm_ = realm; |
| 444 SetStep(STEP_LOCK_DEVICE); | 498 SetStep(STEP_SET_FWMP_DATA); |
| 445 StartLockDevice(); | 499 SetFirmwareManagementParametersData(); |
| 446 } | 500 } |
| 447 | 501 |
| 448 void EnrollmentHandlerChromeOS::StartLockDevice() { | 502 void EnrollmentHandlerChromeOS::StartLockDevice() { |
| 449 DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_); | 503 DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_); |
| 450 // Since this method is also called directly. | 504 // Since this method is also called directly. |
| 451 weak_ptr_factory_.InvalidateWeakPtrs(); | 505 weak_ptr_factory_.InvalidateWeakPtrs(); |
| 452 | 506 |
| 453 install_attributes_->LockDevice( | 507 install_attributes_->LockDevice( |
| 454 device_mode_, domain_, realm_, device_id_, | 508 device_mode_, domain_, realm_, device_id_, |
| 455 base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult, | 509 base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult, |
| 599 callback.Run(status); | 653 callback.Run(status); |
| 600 } | 654 } |
| 601 | 655 |
| 602 void EnrollmentHandlerChromeOS::SetStep(EnrollmentStep step) { | 656 void EnrollmentHandlerChromeOS::SetStep(EnrollmentStep step) { |
| 603 DCHECK_LE(enrollment_step_, step); | 657 DCHECK_LE(enrollment_step_, step); |
| 604 VLOG(1) << "Step: " << step; | 658 VLOG(1) << "Step: " << step; |
| 605 enrollment_step_ = step; | 659 enrollment_step_ = step; |
| 606 } | 660 } |
| 607 | 661 |
| 608 } // namespace policy | 662 } // namespace policy |
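Review bot: GetBlockdevmodeFromPolicy (new lines 82-106) returns false both when the policy parses cleanly with block_devmode unset and when either ParseFromString call fails, so a parse error reached from SetFirmwareManagementParametersData ends up writing block_devmode=false into the firmware management parameters instead of leaving them untouched; the two outcomes should be distinguishable, e.g. an out parameter `bool* block_devmode` with the return value meaning "parsed successfully", so the caller can skip the SetBlockDevmodeInTpm write (or fail the enrollment) rather than clear the flag. Separately, OnFirmwareManagementParametersDataSet tests only `result` and never reads `call_status`; if the D-Bus call itself fails the reply is presumably default-constructed, so the guard would be more robust as `if (call_status != chromeos::DBUS_METHOD_CALL_SUCCESS || !result) {` — worth confirming what the cryptohome client passes on transport failure. Both error paths then continue into StartLockDevice, which reads as deliberate best-effort behaviour but deserves a one-line comment saying the FWMP update is not required for enrollment to proceed.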